Refactored out Servlet dependencies from core and toolkit

- Introduced `servlet-jakarta` and `servlet-javax`
- Teased apart HTTP request and HTTP response objects along a common seam
- Bumped version to 3.0.0

Also, bump dependencies so OWASP check passes from:

Author: r-herasymenk <r.herasymenk@samsung.com>
Date:   Tue Jul 25 10:45:02 2023 -0700

$ mvn clean install
...
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:6.3.1:check (default) on project java-saml-core:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7.0':
[ERROR]
[ERROR] accessors-smart-2.4.7.jar: CVE-2022-45688
[ERROR] jackson-core-2.13.4.jar: CVE-2022-45688
[ERROR] json-smart-2.4.7.jar: CVE-2023-1370
[ERROR] netty-codec-4.1.68.Final.jar: CVE-2022-41881
[ERROR] netty-transport-4.1.68.Final.jar: CVE-2022-41881
[ERROR] stax2-api-4.2.1.jar: CVE-2022-40152
[ERROR] woodstox-core-6.2.6.jar/META-INF/maven/com.sun.xml.bind.jaxb/isorelax/pom.xml: CVE-2023-34411
[ERROR] woodstox-core-6.2.6.jar: CVE-2022-40152

core/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>com.onelogin</groupId>
 		<artifactId>java-saml-toolkit</artifactId>
-		<version>2.9.1-SNAPSHOT</version>
+		<version>3.0.0-SNAPSHOT</version>
 	</parent>
 
 	<packaging>jar</packaging>
@@ -27,15 +27,23 @@
 			<artifactId>junit</artifactId>
 			<scope>test</scope>
 		</dependency>
+		<dependency>
+			<groupId>org.mockito</groupId>
+			<artifactId>mockit-core</artifactId>
+			<version>1.10.19</version>
+			<scope>test</scope>
+		</dependency>
 
 		<!-- for log -->
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>slf4j-api</artifactId>
+			<version>2.0.5</version>
 		</dependency>
 		<dependency>
 			<groupId>ch.qos.logback</groupId>
 			<artifactId>logback-classic</artifactId>
+			<version>1.4.7</version>
 			<optional>true</optional>
 		</dependency>
 
@@ -69,6 +77,13 @@
 			<version>1.10.1</version>
 			<optional>true</optional>
 		</dependency>
+
+		<dependency>
+			<groupId>com.fasterxml.jackson.core</groupId>
+			<artifactId>jackson-databind</artifactId>
+			<version>2.15.2</version>
+			<optional>true</optional>
+		</dependency>
 	</dependencies>
 
 	<build>

core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

@@ -15,6 +15,7 @@
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.xpath.XPathExpressionException;
 
+import com.onelogin.saml2.http.HttpRequest;
 import com.onelogin.saml2.model.hsm.HSM;
 
 import org.apache.commons.lang3.StringUtils;
@@ -28,7 +29,6 @@
 import org.xml.sax.SAXException;
 import com.onelogin.saml2.exception.SettingsException;
 import com.onelogin.saml2.exception.ValidationError;
-import com.onelogin.saml2.http.HttpRequest;
 import com.onelogin.saml2.model.SamlResponseStatus;
 import com.onelogin.saml2.model.SubjectConfirmationIssue;
 import com.onelogin.saml2.settings.Saml2Settings;

core/src/main/java/com/onelogin/saml2/http/HttpRequest.java

@@ -1,150 +1,56 @@
 package com.onelogin.saml2.http;
 
-import static com.onelogin.saml2.util.Preconditions.checkNotNull;
-import static java.util.Collections.unmodifiableList;
-import static java.util.Collections.unmodifiableMap;
+import com.onelogin.saml2.util.Util;
 
-import java.util.ArrayList;
-import java.util.Collections;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
-import java.util.Objects;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import org.apache.commons.lang3.StringUtils;
-
-import com.onelogin.saml2.util.Util;
-
 /**
- * Framework-agnostic representation of an HTTP request.
+ * Framework-agnostic definition of an HTTP request with a very minimal set of
+ * methods needed to support the SAML handshake.
  *
- * @since 2.0.0
+ * @since 3.0.0
  */
-public final class HttpRequest {
+public interface HttpRequest {
 
-    public static final Map<String, List<String>> EMPTY_PARAMETERS = Collections.<String, List<String>>emptyMap();
+    int getServerPort();
 
-    private final String requestURL;
-    private final Map<String, List<String>> parameters;
-    private final String queryString;
+    String getScheme();
 
-    /**
-     * Creates a new HttpRequest.
-     *
-     * @param requestURL the request URL (up to but not including query parameters)
-     * @throws NullPointerException if requestURL is null
-     * @deprecated Not providing a queryString can cause HTTP Redirect binding to fail.
-     */
-    @Deprecated
-    public HttpRequest(String requestURL) {
-        this(requestURL, EMPTY_PARAMETERS);
-    }
+    String getServerName();
 
-    /**
-     * Creates a new HttpRequest.
-     *
-     * @param requestURL  the request URL (up to but not including query parameters)
-     * @param queryString string that is contained in the request URL after the path
-     */
-    public HttpRequest(String requestURL, String queryString) {
-        this(requestURL, EMPTY_PARAMETERS, queryString);
-    }
+    String getRequestURL();
 
-    /**
-     * Creates a new HttpRequest.
-     *
-     * @param requestURL  the request URL (up to but not including query parameters)
-     * @param parameters the request query parameters
-     * @throws NullPointerException if any of the parameters is null
-     * @deprecated Not providing a queryString can cause HTTP Redirect binding to fail.
-     */
-    @Deprecated
-    public HttpRequest(String requestURL, Map<String, List<String>> parameters) {
-        this(requestURL, parameters, null);
-    }
+    String getRequestURI();
 
-    /**
-     * Creates a new HttpRequest.
-     *
-     * @param requestURL  the request URL (up to but not including query parameters)
-     * @param parameters the request query parameters
-     * @param queryString string that is contained in the request URL after the path
-     * @throws NullPointerException if any of the parameters is null
-     */
-    public HttpRequest(String requestURL, Map<String, List<String>> parameters, String queryString) {
-        this.requestURL = checkNotNull(requestURL, "requestURL");
-        this.parameters = unmodifiableCopyOf(checkNotNull(parameters, "queryParams"));
-        this.queryString = StringUtils.trimToEmpty(queryString);
-    }
-
-    /**
-     * @param name  the query parameter name
-     * @param value the query parameter value
-     * @return a new HttpRequest with the given query parameter added
-     * @throws NullPointerException if any of the parameters is null
-     */
-    public HttpRequest addParameter(String name, String value) {
-        checkNotNull(name, "name");
-        checkNotNull(value, "value");
+    String getQueryString();
 
-        final List<String> oldValues = parameters.containsKey(name) ? parameters.get(name) : new ArrayList<String>();
-        final List<String> newValues = new ArrayList<>(oldValues);
-        newValues.add(value);
-        final Map<String, List<String>> params = new HashMap<>(parameters);
-        params.put(name, newValues);
-
-        return new HttpRequest(requestURL, params, queryString);
-    }
+    void invalidateSession();
 
-    /**
-     * @param name  the query parameter name
-     * @return a new HttpRequest with the given query parameter removed
-     * @throws NullPointerException if any of the parameters is null
-     */
-    public HttpRequest removeParameter(String name) {
-        checkNotNull(name, "name");
+    Map<String, String[]> getParameterMap();
 
-        final Map<String, List<String>> params = new HashMap<>(parameters);
-        params.remove(name);
+    default List<String> getParameters(String name) {
+        final Map<String, String[]> paramsAsArray = getParameterMap();
+        final Map<String, List<String>> paramsAsList = new HashMap<>();
+        for (Map.Entry<String, String[]> param : paramsAsArray.entrySet()) {
+            paramsAsList.put(param.getKey(), Arrays.asList(param.getValue()));
+        }
 
-        return new HttpRequest(requestURL, params, queryString);
-    }
-
-    /**
-     * The URL the client used to make the request. Includes a protocol, server name, port number, and server path, but
-     * not the query string parameters.
-     *
-     * @return the request URL
-     */
-    public String getRequestURL() {
-        return requestURL;
+        return paramsAsList.get(name);
     }
 
-    /**
-     * @param name the query parameter name
-     * @return the first value for the parameter, or null
-     */
-    public String getParameter(String name) {
+    default String getParameter(String name) {
         List<String> values = getParameters(name);
-        return values.isEmpty() ? null : values.get(0);
-    }
-
-    /**
-     * @param name the query parameter name
-     * @return a List containing all values for the parameter
-     */
-    public List<String> getParameters(String name) {
-        List<String> values = parameters.get(name);
-        return values != null ? values : Collections.<String>emptyList();
+        return (values == null || values.isEmpty()) ? null : values.get(0);
     }
 
-    /**
-     * @return a map of all query parameters
-     */
-    public Map<String, List<String>> getParameters() {
-        return parameters;
+    default String getEncodedParameter(String name, String defaultValue) {
+        String value = getEncodedParameter(name);
+        return (value != null) ? value : Util.urlEncoder(defaultValue);
     }
 
     /**
@@ -155,7 +61,8 @@ public Map<String, List<String>> getParameters() {
      * @param name
      * @return the first value for the parameter, or null
      */
-    public String getEncodedParameter(String name) {
+    default String getEncodedParameter(String name) {
+        String queryString = getQueryString();
         Matcher matcher = Pattern.compile(Pattern.quote(name) + "=([^&#]+)").matcher(queryString);
         if (matcher.find()) {
             return matcher.group(1);
@@ -164,58 +71,4 @@ public String getEncodedParameter(String name) {
         }
     }
 
-    /**
-     * Return an url encoded get parameter value
-     * Prefer to extract the original encoded value directly from queryString since url
-     * encoding is not canonical.
-     *
-     * @param name
-     * @param defaultValue
-     * @return the first value for the parameter, or url encoded default value
-     */
-    public String getEncodedParameter(String name, String defaultValue) {
-            String value = getEncodedParameter(name);
-            return (value != null ? value : Util.urlEncoder(defaultValue));
-    }
-
-    @Override
-    public boolean equals(Object o) {
-        if (this == o) {
-        	return true;
-        }
-
-        if (o == null || getClass() != o.getClass()) {
-        	return false;
-        }
-
-        HttpRequest that = (HttpRequest) o;
-        return Objects.equals(requestURL, that.requestURL) &&
-                Objects.equals(parameters, that.parameters) &&
-                Objects.equals(queryString, that.queryString);
-    }
-
-    @Override
-    public int hashCode() {
-        return Objects.hash(requestURL, parameters, queryString);
-    }
-
-    @Override
-    public String toString() {
-        return "HttpRequest{" +
-                "requestURL='" + requestURL + '\'' +
-                ", parameters=" + parameters +
-                ", queryString=" + queryString +
-                '}';
-    }
-
-    private static Map<String, List<String>> unmodifiableCopyOf(Map<String, List<String>> orig) {
-        Map<String, List<String>> copy = new HashMap<>();
-        for (Map.Entry<String, List<String>> entry : orig.entrySet()) {
-            copy.put(entry.getKey(), unmodifiableList(new ArrayList<>(entry.getValue())));
-        }
-
-        return unmodifiableMap(copy);
-    }
-
-
 }

core/src/main/java/com/onelogin/saml2/http/HttpRequestUtils.java

@@ -0,0 +1,83 @@
+package com.onelogin.saml2.http;
+
+import org.apache.commons.lang3.StringUtils;
+
+public class HttpRequestUtils {
+
+    private HttpRequestUtils() {
+    }
+
+    /**
+     * Returns the protocol + the current host + the port (if different than
+     * common ports).
+     *
+     * @param request
+     * 				HttpServletRequest object to be processed
+     *
+     * @return the HOST URL
+     */
+    public static String getSelfURLhost(HttpRequest request) {
+        String hostUrl = StringUtils.EMPTY;
+        final int serverPort = request.getServerPort();
+        if ((serverPort == 80) || (serverPort == 443) || serverPort == 0) {
+            hostUrl = String.format("%s://%s", request.getScheme(), request.getServerName());
+        } else {
+            hostUrl = String.format("%s://%s:%s", request.getScheme(), request.getServerName(), serverPort);
+        }
+        return hostUrl;
+    }
+
+    /**
+     * Returns the URL of the current context + current view + query
+     *
+     * @param request
+     * 				HttpServletRequest object to be processed
+     *
+     * @return current context + current view + query
+     */
+    public static String getSelfURL(HttpRequest request) {
+        String url = getSelfURLhost(request);
+
+        String requestUri = request.getRequestURI();
+        String queryString = request.getQueryString();
+
+        if (null != requestUri && !requestUri.isEmpty()) {
+            url += requestUri;
+        }
+
+        if (null != queryString && !queryString.isEmpty()) {
+            url += '?' + queryString;
+        }
+        return url;
+    }
+
+    /**
+     * Returns the URL of the current host + current view.
+     *
+     * @param request
+     * 				HttpServletRequest object to be processed
+     *
+     * @return current host + current view
+     */
+    public static String getSelfURLNoQuery(HttpRequest request) {
+        return request.getRequestURL();
+    }
+
+    /**
+     * Returns the routed URL of the current host + current view.
+     *
+     * @param request
+     * 				HttpServletRequest object to be processed
+     *
+     * @return the current routed url
+     */
+    public static String getSelfRoutedURLNoQuery(HttpRequest request) {
+        String url = getSelfURLhost(request);
+        String requestUri = request.getRequestURI();
+        if (null != requestUri && !requestUri.isEmpty()) {
+            url += requestUri;
+        }
+        return url;
+    }
+
+}